Security Policies Flashcards
Definition: Memory Safety
Memory safety is a general property that can apply to a program, a runtime environment, or a programming language
-> a program is memory safe if all of its possible executions are memory safe
-> a runtime environment is memory safe if all programs it can run are memory safe
-> a programming language is memory safe if all programs expressible in it are memory safe
- Memory safety is violated when the program accesses memory it is not entitled to (unallocated, out-of-bounds, or already-deallocated memory)
Definition: Spatial Memory Safety
Spatial memory safety is a property that ensures that all memory dereferences are within bounds of their pointer’s valid objects. An object’s bounds are defined when the object is allocated. Any computed pointer to that object inherits the bounds of the object. Any pointer arithmetic can only result in a pointer inside the same object. Pointers that point outside of their associated object may not be dereferenced. Dereferencing such illegal pointers results in a spatial memory safety error and undefined behavior.
Definition: Temporal Memory Safety
Temporal memory safety is a property that ensures that all memory dereferences are valid at the time of the dereference, i.e., the pointed-to object is the same as when the pointer was created. When an object is freed, the underlying memory is no longer associated to the object and the pointer is no longer valid. Dereferencing such an invalid pointer results in a temporal memory safety error and undefined behavior.
Object-based vs. pointer-based memory safety for C/C++
- Object-based policies store metadata (size, location) for each allocated object, but none for pointers
-> allow you to check whether an access targets a valid object (not whether it targets the object the pointer was derived from, so an overflow from one valid object into an adjacent valid object is not caught)
-> lower security, lower overhead
- Pointer-based policies store metadata (e.g., base and bound) for each pointer
-> allow you to verify that each access through a pointer stays inside the object that pointer was derived from
-> higher security, higher overhead
Type Safety
Type-safe code accesses only the memory locations it is authorized to access
How can you ensure memory safety?
- Other programming languages replace raw pointers with references and therefore prevent direct memory access (no arbitrary pointer arithmetic or casts from integers)
- Garbage collector: memory is only reclaimed once no reference to it remains, which rules out use-after-free
- Fat pointers (the pointer carries its base and bound metadata inline and is checked on every dereference) and pointers that can never be NULL
SoftBound
Compiler-based instrumentation to enforce spatial memory safety for C/C++
- Idea: keep (base, bound) information for every pointer in disjoint metadata, indexed by the location where the pointer is stored, so the in-memory representation of the pointer itself is unchanged
- Pointer arithmetic and pointer assignments propagate the metadata; bounds are checked whenever the pointer is dereferenced
CETS
- Compiler-based instrumentation to enforce temporal memory safety for C/C++ (complements SoftBound)
- Each allocated memory object is assigned a unique version (key), kept in a lock location separate from the object; each pointer carries the key and the lock address of its object. Upon dereference, check that the key stored for the pointer equals the version currently held in the lock.
- Two failure conditions: the area was deallocated, so the lock holds a smaller version (0); or the area was reallocated to a new object, so the lock holds a larger version.
- Good for temporal memory safety only; spatial errors are left to SoftBound
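The pointer-based metadata from the object-based vs. pointer-based card, the disjoint (base, bound) table of SoftBound, and the key/lock check of CETS, as one added example in C. This is not the original page's code and not the SoftBound or CETS runtime: all names (ptr_meta, meta_slot, meta_copy, sb_malloc, sb_free, meta_check, the scenario_* functions) are hypothetical, the metadata table is a linear array instead of a shadow space keyed by pointer address, and the checks are written out by hand where a compiler pass would emit them.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added illustration; names (ptr_meta, sb_malloc, meta_check, ...) are
 * hypothetical, not the SoftBound/CETS runtime, which keys a shadow space by
 * pointer address instead of this linear table. */
typedef enum {
    CHECK_OK = 0,
    CHECK_NO_METADATA,  /* pointer never registered (e.g. cast from an integer) */
    CHECK_SPATIAL,      /* SoftBound: access leaves [base, bound) */
    CHECK_FREED,        /* CETS: lock holds 0, the object was deallocated */
    CHECK_REALLOCATED   /* CETS: lock holds a newer key, the memory was reused */
} check_result;

typedef struct {
    char *base, *bound;  /* SoftBound: first valid byte, one past the last one */
    uint64_t key;        /* CETS: object's key when this pointer was created */
    uint64_t *lock;      /* CETS: lock word holding the object's current key */
} ptr_meta;

#define SLOTS 64
/* Disjoint metadata indexed by the address where the pointer is stored, so the
 * pointer itself stays a plain machine word (unlike a fat pointer). */
static struct { void **ptr_loc; ptr_meta m; } table[SLOTS];
static uint64_t locks[SLOTS];   /* CETS lock words; 0 means "no live object" */
static uint64_t next_key = 1;   /* keys only grow, so a reused lock holds a larger one */

static ptr_meta *meta_slot(void **ptr_loc, int create) {
    int empty = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (table[i].ptr_loc == ptr_loc) return &table[i].m;
        if (empty < 0 && table[i].ptr_loc == NULL) empty = i;
    }
    if (!create || empty < 0) return NULL;
    table[empty].ptr_loc = ptr_loc;
    return &table[empty].m;
}

/* Pointer arithmetic or assignment: the derived pointer inherits its source's
 * bounds and key/lock; it never gets fresh bounds of its own. */
void meta_copy(void **dst_loc, void **src_loc) {
    ptr_meta *src = meta_slot(src_loc, 0), *dst = meta_slot(dst_loc, 1);
    if (src && dst) *dst = *src;
}

/* Instrumented malloc: allocate, take a free lock word, issue a fresh key. */
void *sb_malloc(size_t n, void **ptr_loc) {
    char *p = malloc(n);
    ptr_meta *m = meta_slot(ptr_loc, 1);
    uint64_t *lock = NULL;
    for (int i = 0; i < SLOTS && !lock; i++)
        if (locks[i] == 0) lock = &locks[i];
    if (!p || !m || !lock) { free(p); return NULL; }
    *lock = next_key++;
    m->base = p; m->bound = p + n; m->key = *lock; m->lock = lock;
    return p;
}

/* The check a compiler pass would emit before a dereference through *ptr_loc
 * touching bytes [addr, addr + size): CETS check first, then SoftBound. */
check_result meta_check(void **ptr_loc, const void *addr, size_t size) {
    ptr_meta *m = meta_slot(ptr_loc, 0);
    if (!m) return CHECK_NO_METADATA;
    if (*m->lock == 0) return CHECK_FREED;
    if (*m->lock != m->key) return CHECK_REALLOCATED;
    uintptr_t a = (uintptr_t)addr, lo = (uintptr_t)m->base, hi = (uintptr_t)m->bound;
    if (a < lo || a > hi || size > hi - a) return CHECK_SPATIAL;
    return CHECK_OK;
}

/* Instrumented free: clearing the lock invalidates every pointer that still
 * carries this key; a temporal failure on entry means a double free. */
check_result sb_free(void *p, void **ptr_loc) {
    check_result r = meta_check(ptr_loc, p, 0);
    if (r == CHECK_OK) { *meta_slot(ptr_loc, 0)->lock = 0; free(p); }
    return r;
}

/* Spatial: p is derived from buf and may only reach bytes 0..15. */
check_result scenario_overflow(void) {
    char *buf = sb_malloc(16, (void **)&buf);
    char *p = buf + 12;
    meta_copy((void **)&p, (void **)&buf);
    check_result ok  = meta_check((void **)&p, p, 4);      /* bytes 12..15 */
    check_result bad = meta_check((void **)&p, p + 1, 4);  /* bytes 13..16 */
    sb_free(buf, (void **)&buf);
    return ok == CHECK_OK ? bad : ok;                      /* CHECK_SPATIAL */
}

/* Temporal: an alias dereferenced after free sees a lock word of 0. */
check_result scenario_use_after_free(void) {
    char *buf = sb_malloc(16, (void **)&buf);
    char *alias = buf;
    meta_copy((void **)&alias, (void **)&buf);
    sb_free(buf, (void **)&buf);
    return meta_check((void **)&alias, alias, 1);          /* CHECK_FREED */
}

/* Temporal: the freed lock goes to a new object with a larger key, so the stale
 * pointer fails even though its address is valid memory again. */
check_result scenario_reallocated(void) {
    char *old = sb_malloc(16, (void **)&old);
    sb_free(old, (void **)&old);
    char *fresh = sb_malloc(16, (void **)&fresh);
    check_result r = meta_check((void **)&old, old, 1);    /* CHECK_REALLOCATED */
    sb_free(fresh, (void **)&fresh);
    return r;
}
```

Two things the scenarios make visible that the cards only state: the derived pointer p never gets bounds of its own, it only inherits buf's, which is why p + 1 with a 4-byte access is rejected even though p itself is a legal pointer; and the stale pointer in scenario_reallocated fails the CETS check although its address is backed by live memory again, because the lock word now holds a larger key than the one the pointer was created with. The CHECK_NO_METADATA case is the practical weak spot of any pointer-based scheme: a pointer that reaches instrumented code from uninstrumented library code, or that was manufactured from an integer, has no entry and the runtime must decide whether to trust it.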